1. Field of the Invention
The present invention relates to the process of signing on to applications. More specifically, the present invention relates to a method and an apparatus that facilitates single sign-on to web applications using dynamic directives.
2. Related Art
Modern web applications provide users with unprecedented access to data, much of which is private and intended to be accessed only by a single user. Web applications that allow a user to access private information typically require the user to be authenticated prior to accessing the private information. This authentication process typically requires the user to provide a user name and password, a digital certificate, or other type of authentication credential.
Users typically access many related web applications, which provide access to private data. In an effort to reduce the number of times that a user has to enter authentication credentials, some related web applications (also called “partner applications”) make use of a single sign-on server. By using a single sign-on server, a user has to enter authentication credentials only once to gain access to multiple partner applications and external applications.
A number of techniques can be used to enable an application to make use of a single sign-on server. One technique involves integrating functions from a software development kit (SDK) into the application to enable the application to access the single sign-on server. This technique allows the application to control when and how the single sign-on server is accessed. However, it requires a considerable amount of programming effort to integrate the functions provided by the SDK into the application. Additionally, the technique must be separately applied to each of the partner applications.
Another technique is to provide a module on the web server that can access the single sign-on server on behalf of an application. Unfortunately, this technique does not allow the application to control how and when the single sign-on server is accessed. The application is therefore not able to provide either public data only, or both public and private data, depending on whether the user has been authenticated. Moreover, the module accesses the single sign-on server to authenticate the user, even if the user only wants to access public data from the application.
Hence, what is needed is a method and an apparatus that facilitates a single sign-on to a group of partner applications without the problems described above.